December 2, 2024 at 05:41PM
A new phishing campaign exploits Microsoft Word’s file recovery feature with corrupted document attachments, evading security measures. These emails, disguised as payroll communications, prompt users to scan a QR code leading to a credential-stealing site. Most antivirus solutions fail to detect these attachments, enhancing their effectiveness.
### Meeting Takeaways
1. **New Phishing Technique:**
– A novel phishing attack exploits Microsoft Word’s file recovery feature. Deliberately corrupted Word documents are sent as email attachments to bypass security software.
2. **Attack Vectors:**
– Threat actors are continuously seeking methods to evade email security systems.
– The recent campaign, identified by malware hunting firm Any.Run, uses corrupted documents appearing to be from payroll and HR departments.
3. **Email Attachment Themes:**
– Common themes for the phishing attachments include employee benefits and bonuses.
– Examples of file names used in the campaign:
– Annual_Benefits_&_Bonus_for_[name]_[random_string].docx
– Q4_Benefits_&_Bonus_for_[name]_[random_string].docx.bin
4. **Technical Analysis:**
– These files contain a base64 encoded string (“IyNURVhUTlVNUkFORE9NNDUjIw”) that decodes to “##TEXTNUMRANDOM45##”.
– Opening these documents prompts a Word error indicating “unreadable content” and offers a recovery option.
5. **Malicious Intent:**
– Once recovered, documents instruct users to scan a QR code which leads them to a phishing site mimicking a Microsoft login page to steal credentials.
6. **Detection Evasion:**
– The corrupted nature of these documents makes them largely undetectable by antivirus solutions. Many attachments received “clean” results on VirusTotal.
7. **Recommendations for Protection:**
– Users should delete emails from unknown senders, especially if attachments are included.
– Always confirm with a network administrator before opening suspicious emails.
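The technical analysis and detection-evasion items above describe why these attachments slip past scanners: the file is not a parseable Office package, so tools that rely on unpacking it see nothing, while Word's recovery path still renders the lure. The following is an added triage example, not code from the original report or from Any.Run. It applies two defender-side heuristics to an attachment body: whether the bytes form an intact OOXML (ZIP) package with a Word main part, and whether the marker string the page reports (`IyNURVhUTlVNUkFORE9NNDUjIw`, decoding to `##TEXTNUMRANDOM45##`) appears in raw or decoded form. The sample files are constructed inline for the demonstration; the function names and the dictionary of findings are this example's own.

```python
"""Triage heuristics for .docx attachments of the kind described above.

A healthy .docx is an OOXML package: a ZIP archive that contains
[Content_Types].xml and word/document.xml.  A file that fails to parse as
a ZIP yet still references Word parts is a candidate for the "recover this
document" lure; the marker string reported for this campaign is a second,
independent indicator.  All sample data below is constructed for this
example and is not taken from any real attachment.
"""
import base64
import io
import zipfile

# Marker as reported (the page gives it without base64 padding).
MARKER_B64 = "IyNURVhUTlVNUkFORE9NNDUjIw"
MARKER_PLAIN = base64.b64decode(MARKER_B64 + "==").decode()  # "##TEXTNUMRANDOM45##"


def decode_marker() -> str:
    """Return the decoded form of the reported base64 marker."""
    return MARKER_PLAIN


def is_valid_docx(data: bytes) -> bool:
    """True if the bytes are an intact OOXML package with a Word main part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if zf.testzip() is not None:  # some member failed its CRC check
                return False
            names = set(zf.namelist())
            return "[Content_Types].xml" in names and "word/document.xml" in names
    except (zipfile.BadZipFile, EOFError, OSError):
        return False


def triage_docx(data: bytes) -> dict:
    """Return per-indicator findings for one attachment body."""
    text = data.decode("latin-1")  # byte-preserving view for substring search
    intact = is_valid_docx(data)
    findings = {
        "intact_package": intact,
        "marker_b64_present": MARKER_B64 in text,
        "marker_plain_present": MARKER_PLAIN in text,
        # Word part names survive in the local file headers even when the
        # central directory is destroyed: "looks like Word, but won't unpack".
        "word_parts_in_broken_zip": (not intact) and "word/document.xml" in text,
    }
    findings["suspicious"] = (
        findings["word_parts_in_broken_zip"]
        or findings["marker_b64_present"]
        or findings["marker_plain_present"]
    )
    return findings


def build_sample_docx(body_xml: bytes) -> bytes:
    """Construct a minimal OOXML-shaped package (constructed sample data).

    ZIP_STORED is used so the body stays visible in the raw bytes, which is
    what a string-based indicator search operates on.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("[Content_Types].xml", b"<Types/>")
        zf.writestr("word/document.xml", body_xml)
    return buf.getvalue()


def corrupt(data: bytes) -> bytes:
    """Destroy the ZIP tail (central directory / end-of-central-directory record).

    Local file headers and member contents near the start are left alone, so
    the result still carries Word part names but no longer parses as a package.
    """
    cut = max(0, len(data) - 40)
    return data[:cut] + b"\x00" * (len(data) - cut)


if __name__ == "__main__":
    good = build_sample_docx(b"<w:document>Q4 benefits summary</w:document>")
    bad = corrupt(build_sample_docx(b"<w:document>" + MARKER_PLAIN.encode() + b"</w:document>"))
    for label, blob in (("intact", good), ("corrupted", bad)):
        print(label, triage_docx(blob))
```

Treat `word_parts_in_broken_zip` as the general signal and the marker checks as campaign-specific: the marker can change between waves, while a Word package that fails to unpack yet still names Word parts is exactly the condition under which recovery-based lures work and content scanners go blind.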
### Conclusion
This meeting has underscored the significance of cybersecurity awareness, particularly regarding the evolving methods of phishing attacks. It highlights the necessity for vigilant email practices to safeguard against such threats.